Made up
of representatives from the six major U.S. financial regulatory bodies, the
FFIEC provides frequent guidance to financial institutions, examiners and
technology service providers on business and technology practices to minimize
risk to investors and institution customers.

This newest guidance updates the
Business Continuity Planning Booklet last issued by the FFIEC in March 2003.

The most
visible change to the guidance is the requirement that all financial
institutions have a disaster plan in place should a pandemic of any sort break
out. The latest release includes vital information for financial
organizations condensed from the FFIEC’s December 2007 Interagency Statement on
Pandemic Planning. Included are minimum practices and procedures meant to address
pandemic preparedness.

The FFIEC
also advises institutions under its purview that other amendments center around
business impact analysis and testing requirements. The revision also discusses
emerging threats and lessons learned by business continuity managers during
recent disasters such as Hurricanes Katrina and Rita.

According
to a study released by Symantec in October 2007, more than 77 percent of
enterprise CEOs fail to take part in disaster recovery committees.

The changes
could also be considered a wake-up call to leadership at institutions that
depend on a patchwork of siloed-inside and outsourced- services to make up its
overall business continuity strategy.

This latest iteration of the FFIEC
guidance emphasizes the need for board and executive leadership to maintain an
enterprise-wide business continuity approach across an organization. It also
firmly places responsibility on institution leadership to closely oversee business
continuity planning even if systems are provided by a third-party service
provider.

The goal,
states the guidance, is to ensure that financial institutions are embedding business
continuity throughout the business framework and not just within IT.

“Because
financial institutions play a crucial role in the overall economy, disruptions
in service should be minimized in order to maintain public trust and confidence
in the financial system,” the new guidance states. “As such, financial
institution management should incorporate business continuity considerations
into the overall design of their business model to proactively mitigate the
risk of service disruptions.”